As we wrote earlier, well-known developer Rusty Russell found a critical vulnerability in earlier versions of the Lightning Network implementations. He advised all users to upgrade to newer versions urgently, warning that they could otherwise lose their coins. He said he would reveal the details of the vulnerability at the end of September, and he has now fulfilled that promise.
ICYMI: Here are all the details of the recent Lightning bug. https://t.co/NVzKmGW5I6
— TheRustyTwit (@rusty_twit) September 27, 2019
According to Rusty Russell, the vulnerability arose during the creation and funding of payment channels. When a new channel was created, the recipient did not verify the amount of the transaction output used to fund the channel, or its scriptpubkey.
The Lightning Network does not require this verification at the protocol level, so an attacker could announce the opening of a new channel while transferring only part of the payment to the recipient, or nothing at all. The attacker could then manage funds in the channel without notifying the other side. Because these transactions are not recorded on the blockchain, the consequences could be detected only after the channel was closed.
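The missing check can be sketched as follows. This is an added example, not code from the article or from any Lightning implementation. It assumes the funding output layout defined in BOLT #3 (a P2WSH output committing to a 2-of-2 multisig script with the two funding keys in lexicographic order). The function names, the `TxOut` type and the sample keys are hypothetical.

```python
import hashlib
from dataclasses import dataclass

OP_0, OP_2, OP_CHECKMULTISIG = 0x00, 0x52, 0xAE


@dataclass
class TxOut:
    value_sat: int        # amount carried by the output, in satoshis
    script_pubkey: bytes  # locking script of the output


def funding_script_pubkey(pubkey_a: bytes, pubkey_b: bytes) -> bytes:
    """P2WSH scriptPubKey of the 2-of-2 funding output (BOLT #3 layout)."""
    for key in (pubkey_a, pubkey_b):
        if len(key) != 33:
            raise ValueError("funding pubkeys must be 33-byte compressed keys")
    first, second = sorted((pubkey_a, pubkey_b))  # lexicographic order
    witness_script = (bytes([OP_2, 33]) + first + bytes([33]) + second
                      + bytes([OP_2, OP_CHECKMULTISIG]))
    return bytes([OP_0, 32]) + hashlib.sha256(witness_script).digest()


def check_funding_output(outputs, index, funding_sat, local_key, remote_key):
    """Return a list of problems; an empty list means the output is as negotiated."""
    if not 0 <= index < len(outputs):
        return ["funding output index is not in the transaction"]
    out, problems = outputs[index], []
    if out.value_sat != funding_sat:
        problems.append(f"amount {out.value_sat} != negotiated {funding_sat}")
    if out.script_pubkey != funding_script_pubkey(local_key, remote_key):
        problems.append("scriptPubKey is not the expected 2-of-2 P2WSH")
    return problems


# Constructed sample data: placeholder key bytes, not real keys.
LOCAL_KEY = bytes([0x02]) + bytes([0x11]) * 32
REMOTE_KEY = bytes([0x03]) + bytes([0x22]) * 32
GOOD_SPK = funding_script_pubkey(LOCAL_KEY, REMOTE_KEY)
HONEST_TX = [TxOut(100_000, GOOD_SPK)]
UNDERFUNDED_TX = [TxOut(1_000, GOOD_SPK)]
WRONG_SCRIPT_TX = [TxOut(100_000, bytes([OP_0, 20]) + bytes(20))]

if __name__ == "__main__":
    for name, tx in [("honest", HONEST_TX), ("underfunded", UNDERFUNDED_TX),
                     ("wrong script", WRONG_SCRIPT_TX)]:
        print(name, check_funding_output(tx, 0, 100_000, LOCAL_KEY, REMOTE_KEY) or "ok")
```

A recipient that runs a check of this kind once the funding transaction is visible can refuse to treat the channel as open when the list is not empty.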
In mid-September, the developers acknowledged that the vulnerability had been exploited in the wild, without specifying the extent of the possible damage. Recall that earlier this week the number of active nodes in the Lightning Network exceeded 10,000.